[DEVMAN] – Ransomware Victim: dailynews[.]co[.]th


Ransomware Group: DEVMAN

VICTIM NAME: dailynews[.]co[.]th

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the DEVMAN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The ransomware leak pertains to the website of a Thai news outlet, identified by the domain dailynews.co.th. The attack was discovered on May 9, 2025, and involves a ransom demand of approximately 375,000 USD. The incident was attributed to a hacker group known as “devman.” The breach has resulted in multiple types of information-stealing malware, including variants such as Raccoon, RedLine, and Vidar, which have been active on the compromised system. Despite no employee data being publicly available, the attack appears to target financial extortion, and the threat actors may have accessed sensitive internal data or communications. The leak page indicates ongoing investigations and suggests that data leakage includes information related to the news organization’s operations. The presence of screenshots or visual evidence is not confirmed, but the attack highlights the risk to information assets within the media industry in Thailand. Efforts to mitigate such threats are crucial for maintaining data integrity and organizational reputation.

The cyberattack is linked to a hacker group named “devman,” which appears to focus on targeting organizations across various sectors. The group has demonstrated access to multiple infostealer tools, indicating they may have compromised user credentials or internal systems. The attack involved malware variants like Lumma and StealC, used to extract data from compromised devices. The leak page does not disclose specific PII but underscores the significance of cybersecurity precautions for organizations vulnerable to ransomware threats. Although no detailed visual evidence or screenshots are available, the incident underscores the importance of proactive measures such as network monitoring, employee training, and timely incident response. The targeted organization operates in Thailand and is involved in news dissemination, making the attack particularly concerning for media freedom and information security in the region.

